mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-09-01 14:55:12 +00:00
Code Issues Releases Wiki Activity

regen

Browse Source
This commit is contained in:
Todd C. Miller
2007-07-09 23:40:49 +00:00
parent e8dc37d798
commit c0ffb8ce36
2 changed files with 298 additions and 283 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
sudo.man.in
View File

@@ -150,7 +150,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo, sudoedit \- execute a command as another user sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
@@ -163,7 +163,7 @@ sudo, sudoedit \- execute a command as another user
[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR} [\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
.PP .PP
\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] \&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
file [...] file [...]
.SH "DESCRIPTION" .SH "DESCRIPTION"
@@ -410,10 +410,12 @@ line arguments. It is most useful in conjunction with the \fB\-s\fR flag.
.PP .PP
Environment variables to be set for the command may also be passed Environment variables to be set for the command may also be passed
on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g. on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. This is only permitted \&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
when the \fIsetenv\fR option is set in \fIsudoers\fR or the command to command line are subject to the same restrictions as normal environment
be run has the \f(CW\*(C`SETENV\*(C'\fR tag set. See sudoers(@mansectform@) variables with one important exception. If the \fIsetenv\fR option
for more information. is set in \fIsudoers\fR or the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
set the user may set variables that would overwise be forbidden.
See sudoers(@mansectform@) for more information.
.SH "RETURN VALUES" .SH "RETURN VALUES"
.IX Header "RETURN VALUES" .IX Header "RETURN VALUES"
Upon successful execution of a program, the return value from \fBsudo\fR Upon successful execution of a program, the return value from \fBsudo\fR
@@ -432,25 +434,35 @@ of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is curren
unreachable. unreachable.
.SH "SECURITY NOTES" .SH "SECURITY NOTES"
.IX Header "SECURITY NOTES" .IX Header "SECURITY NOTES"
\&\fBsudo\fR tries to be safe when executing external commands. Variables \&\fBsudo\fR tries to be safe when executing external commands.
that control how dynamic loading and binding is done can be used .PP
to subvert the program that \fBsudo\fR runs. To combat this the There are two distinct ways to deal with environment variables.
\&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0 By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled.
only) environment variables are removed from the environment passed This causes commands to be executed with a minimal environment
on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR, containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR
\&\f(CW\*(C`CDPATH\*(C'\fR, \f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR, and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process
\&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR, permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options.
\&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and There is effectively a whitelist for environment variables.
\&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the .PP
\&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored. If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. Environment variables options are inherited from the invoking process. In this case,
with a value beginning with \f(CW\*(C`()\*(C'\fR are also removed as they could \&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it
be interpreted as \fBbash\fR functions. If \fBsudo\fR has been is not possible to blacklist all potentially dangerous environment
compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and variables, use of the default \fIenv_reset\fR behavior is encouraged.
\&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment .PP
variables that \fBsudo\fR clears is contained in the output of In all cases, environment variables with a value beginning with
\&\f(CW\*(C`sudo \-V\*(C'\fR when run as root. \&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
The list of environment variables that \fBsudo\fR allows or denies is
contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
.PP
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including \fBsudo\fR. Depending on the operating
system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
removed from the environment before \fBsudo\fR even begins execution
and, as such, it is not possible for \fBsudo\fR to preserve them.
.PP .PP
To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
current directory) last when searching for a command in the user's current directory) last when searching for a command in the user's
@@ -458,11 +470,6 @@ current directory) last when searching for a command in the user's
actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
unchanged to the program that \fBsudo\fR executes. unchanged to the program that \fBsudo\fR executes.
.PP .PP
For security reasons, if your \s-1OS\s0 supports shared libraries and does
not disable user-defined library search paths for setuid programs
(most do), you should either use a linker option that disables this
behavior or link \fBsudo\fR statically.
.PP
\&\fBsudo\fR will check the ownership of its timestamp directory \&\fBsudo\fR will check the ownership of its timestamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if (\fI@timedir@\fR by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than it is not owned by root or if it is writable by a user other than
@@ -556,7 +563,7 @@ sudoers(@mansectform@).
.IX Header "FILES" .IX Header "FILES"
.Vb 2 .Vb 2
\& @sysconfdir@/sudoers List of who can run what \& @sysconfdir@/sudoers List of who can run what
\& @timedir@ Directory containing timestamps \& @timedir@ Directory containing timestamps
.Ve .Ve
.SH "EXAMPLES" .SH "EXAMPLES"
.IX Header "EXAMPLES" .IX Header "EXAMPLES"

512
sudoers.man.in
View File

@@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS @mansectform@" .IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS" .TH SUDOERS @mansectform@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudoers \- list of which users may execute what sudoers \- list of which users may execute what
.SH "DESCRIPTION" .SH "DESCRIPTION"
@@ -397,6 +397,260 @@ These operators are used to add to and delete from a list respectively.
It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
that does not exist in a list. that does not exist in a list.
.PP .PP
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
.Sh "User Specification"
.IX Subsection "User Specification"
.Vb 2
\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
\& (':' Host_List '=' Cmnd_Spec_List)*
.Ve
.PP
.Vb 2
\& Cmnd_Spec_List ::= Cmnd_Spec |
\& Cmnd_Spec ',' Cmnd_Spec_List
.Ve
.PP
.Vb 1
\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
.Ve
.PP
.Vb 1
\& Runas_Spec ::= '(' Runas_List ')'
.Ve
.PP
.Vb 2
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
Let's break that down into its constituent parts:
.Sh "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
enclosed in a set of parentheses. If you do not specify a
\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
commands that follow it. What this means is that for the entry:
.PP
.Vb 1
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
.Ve
.PP
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
\& $ sudo -u operator /bin/ls.
.Ve
.PP
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
entry. If we modify the entry like so:
.PP
.Vb 1
\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
.Ve
.PP
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
.Sh "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
overrides \f(CW\*(C`EXEC\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
.PP
By default, \fBsudo\fR requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
For example:
.PP
.Vb 1
\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
.Ve
.PP
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
authenticating himself. If we only want \fBray\fR to be able to
run \fI/bin/kill\fR without a password the entry would be:
.PP
.Vb 1
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
.Ve
.PP
Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
in the group specified by the \fIexempt_group\fR option.
.PP
By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
for a user on the current host, he or she will be able to run
\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
for all a user's entries that pertain to the current host.
This behavior may be overridden via the verifypw and listpw options.
.PP
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
.IX Subsection "NOEXEC and EXEC"
.PP
If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
a dynamically-linked executable from running further commands itself.
.PP
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
and \fI/usr/bin/vi\fR but shell escapes will be disabled.
.PP
.Vb 1
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
.PP
\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
.IX Subsection "SETENV and NOSETENV"
.PP
These tags override the value of the \fIsetenv\fR option on a per-command
basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
environment variables set on the command line way are not subject
to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
variables in this manner.
.PP
\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
.IX Subsection "MONITOR and NOMONITOR"
.PP
If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command
to be checked against \fIsudoers\fR and logged just like they would
be if run through \fBsudo\fR directly. This is useful in conjunction
with commands that allow shell escapes such as editors, shells and
paginators.
.PP
In the following example, user \fBchuck\fR may run any command on the
machine research in monitor mode.
.PP
.Vb 1
\& chuck research = MONITOR: ALL
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system.
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
to be used in pathnames as well as command line arguments in the
\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
.ie n .IP "\*(C`*\*(C'" 8
.el .IP "\f(CW\*(C`*\*(C'\fR" 8
.IX Item "*"
Matches any set of zero or more characters.
.ie n .IP "\*(C`?\*(C'" 8
.el .IP "\f(CW\*(C`?\*(C'\fR" 8
.IX Item "?"
Matches any single character.
.ie n .IP "\*(C`[...]\*(C'" 8
.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
.IX Item "[...]"
Matches any character in the specified range.
.ie n .IP "\*(C`[!...]\*(C'" 8
.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
.IX Item "[!...]"
Matches any character \fBnot\fR in the specified range.
.ie n .IP "\*(C`\ex\*(C'" 8
.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
.IX Item "x"
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
wildcards. This is to make a path like:
.PP
.Vb 1
\& /usr/bin/*
.Ve
.PP
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
.Sh "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.ie n .IP """""" 8
.el .IP "\f(CW``''\fR" 8
.IX Item """"""
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
.Sh "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
directive, similar to the one used by the C preprocessor. This is
useful, for example, for keeping a site-wide \fIsudoers\fR file in
addition to a per-machine local one. For the sake of this example
the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
.PP
.Vb 1
\& #include /etc/sudoers.local
.Ve
.PP
When \fBsudo\fR reaches this line it will suspend processing of the
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
\&\fI/etc/sudoers\fR will be processed. Files that are included may
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.Sh "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
a user name and is followed by one or more digits, in which case
it is treated as a uid). Both the comment character and any text
after it, up to the end of the line, are ignored.
.PP
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
a match to succeed. It can be used wherever one might otherwise
use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
built-in alias will be used in preference to your own. Please note
that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
allows the user to run \fBany\fR command on the system.
.PP
An exclamation point ('!') can be used as a logical \fInot\fR operator
both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
\&\s-1NOTES\s0 below).
.PP
Long lines can be continued with a backslash ('\e') as the last
character on the line.
.PP
Whitespace between elements in a list as well as special syntactic
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
.PP
The following characters must be escaped with a backslash ('\e') when
used as part of a word (e.g.\ a username or hostname):
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
Sudo's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
explained earlier. A list of all supported Defaults parameters,
grouped by type, are listed below.
.PP
\&\fBFlags\fR: \&\fBFlags\fR:
.IP "long_otp_prompt" 12 .IP "long_otp_prompt" 12
.IX Item "long_otp_prompt" .IX Item "long_otp_prompt"
@@ -655,11 +909,11 @@ to specify a different file descriptor at which to start closing.
The default is 3. The default is 3.
.IP "setenv" 12 .IP "setenv" 12
.IX Item "setenv" .IX Item "setenv"
Allow the user to set additional environment variables from the Allow the user to disable the \fIenv_reset\fR option from the command
command line. Note that variables set this way are not subject to line. Additionally, environment variables set via the command line
the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or are not subject to the restrictions imposed by \fIenv_check\fR,
\&\fIenv_reset\fR. As such, only trusted users should be allowed to set \&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
variables in this manner. be allowed to set variables in this manner.
.PP .PP
\&\fBStrings\fR: \&\fBStrings\fR:
.IP "mailsub" 12 .IP "mailsub" 12
@@ -896,252 +1150,6 @@ for the syslog facility (the value of the \fBsyslog\fR Parameter):
\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are \&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
\&\fBnotice\fR, and \fBwarning\fR. \&\fBnotice\fR, and \fBwarning\fR.
.Sh "User Specification"
.IX Subsection "User Specification"
.Vb 2
\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
\& (':' Host_List '=' Cmnd_Spec_List)*
.Ve
.PP
.Vb 2
\& Cmnd_Spec_List ::= Cmnd_Spec |
\& Cmnd_Spec ',' Cmnd_Spec_List
.Ve
.PP
.Vb 1
\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
.Ve
.PP
.Vb 1
\& Runas_Spec ::= '(' Runas_List ')'
.Ve
.PP
.Vb 2
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
Let's break that down into its constituent parts:
.Sh "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
enclosed in a set of parentheses. If you do not specify a
\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
commands that follow it. What this means is that for the entry:
.PP
.Vb 1
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
.Ve
.PP
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
\& $ sudo -u operator /bin/ls.
.Ve
.PP
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
entry. If we modify the entry like so:
.PP
.Vb 1
\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
.Ve
.PP
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
.Sh "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
overrides \f(CW\*(C`EXEC\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
.PP
By default, \fBsudo\fR requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
For example:
.PP
.Vb 1
\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
.Ve
.PP
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
authenticating himself. If we only want \fBray\fR to be able to
run \fI/bin/kill\fR without a password the entry would be:
.PP
.Vb 1
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
.Ve
.PP
Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
in the group specified by the \fIexempt_group\fR option.
.PP
By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
for a user on the current host, he or she will be able to run
\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
for all a user's entries that pertain to the current host.
This behavior may be overridden via the verifypw and listpw options.
.PP
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
.IX Subsection "NOEXEC and EXEC"
.PP
If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
a dynamically-linked executable from running further commands itself.
.PP
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
and \fI/usr/bin/vi\fR but shell escapes will be disabled.
.PP
.Vb 1
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
.PP
\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
.IX Subsection "SETENV and NOSETENV"
.PP
These tags override the value of the \fIsetenv\fR option on a per-command
basis. Note that environment variables set on the command line way
are not subject to the restrictions imposed by \fIenv_check\fR,
\&\fIenv_delete\fR, or \fIenv_reset\fR. As such, only trusted users should
be allowed to set variables in this manner.
.PP
\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
.IX Subsection "MONITOR and NOMONITOR"
.PP
If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command
to be checked against \fIsudoers\fR and logged just like they would
be if run through \fBsudo\fR directly. This is useful in conjunction
with commands that allow shell escapes such as editors, shells and
paginators.
.PP
In the following example, user \fBchuck\fR may run any command on the
machine research in monitor mode.
.PP
.Vb 1
\& chuck research = MONITOR: ALL
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system.
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
to be used in pathnames as well as command line arguments in the
\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
.ie n .IP "\*(C`*\*(C'" 8
.el .IP "\f(CW\*(C`*\*(C'\fR" 8
.IX Item "*"
Matches any set of zero or more characters.
.ie n .IP "\*(C`?\*(C'" 8
.el .IP "\f(CW\*(C`?\*(C'\fR" 8
.IX Item "?"
Matches any single character.
.ie n .IP "\*(C`[...]\*(C'" 8
.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
.IX Item "[...]"
Matches any character in the specified range.
.ie n .IP "\*(C`[!...]\*(C'" 8
.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
.IX Item "[!...]"
Matches any character \fBnot\fR in the specified range.
.ie n .IP "\*(C`\ex\*(C'" 8
.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
.IX Item "x"
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
wildcards. This is to make a path like:
.PP
.Vb 1
\& /usr/bin/*
.Ve
.PP
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
.Sh "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.ie n .IP """""" 8
.el .IP "\f(CW``''\fR" 8
.IX Item """"""
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
.Sh "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
directive, similar to the one used by the C preprocessor. This is
useful, for example, for keeping a site-wide \fIsudoers\fR file in
addition to a per-machine local one. For the sake of this example
the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
.PP
.Vb 1
\& #include /etc/sudoers.local
.Ve
.PP
When \fBsudo\fR reaches this line it will suspend processing of the
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
\&\fI/etc/sudoers\fR will be processed. Files that are included may
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.Sh "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
a user name and is followed by one or more digits, in which case
it is treated as a uid). Both the comment character and any text
after it, up to the end of the line, are ignored.
.PP
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
a match to succeed. It can be used wherever one might otherwise
use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
built-in alias will be used in preference to your own. Please note
that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
allows the user to run \fBany\fR command on the system.
.PP
An exclamation point ('!') can be used as a logical \fInot\fR operator
both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
\&\s-1NOTES\s0 below).
.PP
Long lines can be continued with a backslash ('\e') as the last
character on the line.
.PP
Whitespace between elements in a list as well as special syntactic
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
.PP
The following characters must be escaped with a backslash ('\e') when
used as part of a word (e.g.\ a username or hostname):
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
.SH "FILES" .SH "FILES"
.IX Header "FILES" .IX Header "FILES"
.Vb 3 .Vb 3